Package details: pkg:npm/electerm@3.7.9

- purl: pkg:npm/electerm@3.7.9
- Next non-vulnerable version: 3.9.5
- Latest non-vulnerable version: 3.9.5
- Risk: 4.5
Vulnerabilities affecting this package (4)
Vulnerability Summary Fixed by
VCID-3crq-bu3h-mbfw
Aliases:
CVE-2026-43941
GHSA-fwf6-j56g-m97c
Electerm has an unvalidated shell.openExternal that allows arbitrary protocol execution via terminal link click

### Impact

Electerm's terminal hyperlink handler passes any URL clicked in the terminal directly to `shell.openExternal` without any protocol validation. When a user connects to a malicious SSH server, the attacker can print a crafted URI in the terminal output. If the victim clicks the link, `shell.openExternal` executes it using the operating system's default protocol handler. This can be abused to:

- Trigger dangerous protocol handlers (`ms-msdt:`, `search-ms:`) for code execution
- Open local files or network shares (`file://`, UNC paths) to leak NTLM hashes or exfiltrate data
- Launch any installed application associated with a custom URI scheme

An attacker who controls terminal output (e.g., via a malicious SSH server, compromised remote host, or malicious plugin rendering terminal content) can thus achieve arbitrary code execution or local file access on the victim's machine, requiring only that the victim clicks a displayed link.

### Patches

As of electerm v3.7.9, no official patch has been released. Users should monitor the project's [GitHub releases](https://github.com/electerm/electerm/releases) and [security page](https://github.com/electerm/electerm/security) for an update addressing this issue.

### Workarounds

Until a patch is available:

- Do not click on any links displayed in terminal sessions connected to untrusted servers.
- If possible, disable hyperlink rendering in electerm's terminal settings.
- Use a terminal multiplexer (e.g., tmux) or a separate terminal application that filters URI schemes when working with untrusted hosts.
- Consider running electerm in a restricted environment (sandbox, AppArmor, SELinux) that limits the spawning of protocol handlers.

### Resources

- [electerm GitHub Repository](https://github.com/electerm/electerm)
- [electerm Security Policy](https://github.com/electerm/electerm/security)
- Vulnerability details originally reported by an external researcher (confirmed on v3.7.9, Win10).

Fixed by: no reported fixed-by versions.
VCID-ajw6-7y87-8fcm
Aliases:
CVE-2026-43942
GHSA-37j4-88rp-2f6h
Electerm's full process.env exposed to renderer via window.pre.env

### Impact

The `getConstants()` IPC handler in `src/app/lib/ipc-sync.js` serialises the entire `process.env` object and sends it to the renderer. The data is stored as `window.pre.env` and is accessible from any JavaScript running in the renderer (e.g., via the DevTools console or a compromised webview context). On developer and CI machines, `process.env` routinely contains secrets such as:

- `AWS_SECRET_ACCESS_KEY` / `AWS_SESSION_TOKEN`
- `GITHUB_TOKEN` / `NPM_TOKEN`
- `OPENAI_API_KEY` / `DOCKER_AUTH`
- Internal service credentials, API keys, and database URLs

An attacker who achieves any JavaScript execution within the renderer (for example, through a malicious plugin, a cross-site scripting (XSS) flaw, or the terminal hyperlink execution chain) can trivially exfiltrate these secrets to a remote server, leading to cloud account compromise, supply chain attacks, and lateral movement. The exposure is visible even without any code execution by simply opening the "Info" modal in the application, though that requires local access.

### Patches

A patch is yet to be available.

### Workarounds

Until a patch is released:

- Avoid launching electerm with sensitive environment variables set. Use shell scripts or a dedicated terminal profile that clears secrets before starting the application.
- Do not install plugins from untrusted sources, and audit any installed plugins for network access.
- Keep the renderer context as locked down as possible: disable the remote debugging port, and do not paste untrusted code into the DevTools console.

### Resources

- [electerm GitHub Repository](https://github.com/electerm/electerm)
- [electerm Security Policy](https://github.com/electerm/electerm/security)
- Vulnerability details originally reported by an external researcher (confirmed on v3.7.9, Win10).

Fixed by: no reported fixed-by versions.
VCID-awzs-n9wv-63fg
Aliases:
CVE-2026-43940
GHSA-f77v-9vpc-6pjm
Electerm runWidget has a path traversal that leads to arbitrary code execution

### Impact

The `runWidget` function in `src/app/widgets/load-widget.js` constructs a file path by directly concatenating user-supplied widget identifiers without any sanitisation:

```javascript
const file = `widget-${widgetId}.js`
const widget = require(path.join(__dirname, file))
```

Because `runWidget` is exposed to the renderer process via an asynchronous IPC handler with no input validation, an attacker who achieves JavaScript execution inside the renderer (for example, through a malicious plugin or a cross-site scripting flaw in the built-in webview) can abuse a **path traversal** (`../`) to load and execute an arbitrary JavaScript file anywhere on the victim's filesystem. This gives the attacker local code execution with the full privileges of the electerm process, leading to complete system compromise.

### Patches

Fixed in version >= 3.7.16

### Workarounds

Until a patch is released:

- Do not install or run untrusted plugins.
- Avoid loading arbitrary web content inside electerm's embedded webview (for example, disable any features that fetch and display remote HTML).
- Run electerm in a sandboxed environment (e.g., with `bubblewrap` on Linux, AppArmor/SELinux profiles, or Windows sandboxed app execution) to limit the impact of any code execution.

### Resources

- [electerm GitHub Repository](https://github.com/electerm/electerm)
- [electerm Security Policy](https://github.com/electerm/electerm/security)
- Vulnerability details originally reported by an external researcher (PoC confirmed on v3.7.9, Win10).
Fixed by: 3.7.16 (affected by 3 other vulnerabilities).
VCID-g3g6-vkjc-2kg6
Aliases:
CVE-2026-43944
GHSA-mpm8-cx2p-626q
Electerm users can run dangerous code through link or command line

### Impact

_Arbitrary local code execution via deep links, CLI `--opts`, or crafted shortcuts. Affected users: electerm installs that accept protocol URLs or CLI options (affected versions listed in the original report). Exploit requires clicking a crafted `electerm://...` link or opening a crafted shortcut/command that launches electerm with attacker-controlled `opts`._

### Patches

Fixed in version > 3.8.8; commits:

- https://github.com/electerm/electerm/commit/8a6a17951e96d715f5a231532bbd8303fe208700
- https://github.com/electerm/electerm/commit/a79e06f4a1f0ac6376c3d2411ef4690fa0377742
- https://github.com/electerm/electerm/commit/0599e67069b00e376a2e962649aaad6096e63507

### Workarounds

- Disable or unregister electerm protocol handlers (Deep Link settings) and avoid clicking `electerm://` links.
- Do not run electerm with untrusted `--opts` arguments or open `.lnk` / `.desktop` files from untrusted sources.
- Restrict which users can launch electerm on shared machines and avoid leaving electerm installed in locations reachable by other users.
- As a temporary measure, run electerm in a confined account or sandbox (non-admin user) to reduce impact.

### References

- Report / credit: https://github.com/Curly-Haired-Baboon
- Electerm releases: https://github.com/electerm/electerm/releases
Fixed by: 3.8.8 (affected by 4 other vulnerabilities).
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-w4u7-qfnj-wucz

Electerm Security Vulnerability: RCE via malicious SSH server filename in openFileWithEditor

### Impact

A code execution (RCE) vulnerability exists in electerm's SFTP "open with system editor" or "Edit with custom editor" feature. When a user opts to edit a file using open with system editor or open with a custom editor, the filename is passed directly into a command line without sanitization. A malicious actor controlling the SSH server or user OS can exploit this by crafting a filename containing shell metacharacters. If a victim subsequently attempts to edit this file, the injected commands are executed on their machine with the user's privileges. This could allow the attacker to run arbitrary code, install malware, or move laterally within the network.

### Patches

Fixed in version >= 3.7.9

- https://github.com/electerm/electerm/commit/24ce7103e264cffe6eb5476c0506a2379e6f8333

### Workarounds

Until a patch is available, it is strongly recommended to:

- Refrain from using the open with system editor or "Edit with custom editor" feature when connected to untrusted or unfamiliar SSH servers.
- Consider using the built-in editor for viewing files, as this path may not be vulnerable to the same injection.
- If the feature must be used, ensure connections are exclusively established with trusted servers and perform rigorous filename validation before editing.

### Resources

- [electerm GitHub Repository](https://github.com/electerm/electerm)

Aliases:
CVE-2026-43943
GHSA-q4p8-8j9m-8hxj

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-08T02:33:29.221947+00:00 | GitLab Importer | Affected by | VCID-g3g6-vkjc-2kg6 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electerm/CVE-2026-43944.yml | 38.6.0 |
| 2026-06-08T02:33:25.577297+00:00 | GitLab Importer | Affected by | VCID-ajw6-7y87-8fcm | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electerm/CVE-2026-43942.yml | 38.6.0 |
| 2026-06-08T02:33:21.753126+00:00 | GitLab Importer | Affected by | VCID-3crq-bu3h-mbfw | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electerm/CVE-2026-43941.yml | 38.6.0 |
| 2026-06-08T02:32:35.637593+00:00 | GitLab Importer | Affected by | VCID-awzs-n9wv-63fg | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electerm/CVE-2026-43940.yml | 38.6.0 |
| 2026-06-07T20:55:13.485626+00:00 | GHSA Importer | Fixing | VCID-w4u7-qfnj-wucz | https://github.com/advisories/GHSA-q4p8-8j9m-8hxj | 38.6.0 |
| 2026-06-07T16:46:12.059307+00:00 | GitLab Importer | Fixing | VCID-w4u7-qfnj-wucz | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electerm/CVE-2026-43943.yml | 38.6.0 |
| 2026-06-04T17:00:46.802675+00:00 | GithubOSV Importer | Fixing | VCID-w4u7-qfnj-wucz | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-q4p8-8j9m-8hxj/GHSA-q4p8-8j9m-8hxj.json | 38.6.0 |